IPSec Routing Problem

Jan 30th, 2008

Hi All,


We have successfully configured site-to-site IPSec. If interesting traffic hits the outgoing interface, the tunnel comes up on both ends; you can also see packets being encrypted.


I'm having routing problems locally; I don't have a route that points local-to-remote traffic via the IPSec VPN.


remote peer: 89.3.2.1

remote local: 192.168.1.0/24


local peer: 50.3.3.1

local private: 10.2.5.0/24


Tried the following locally:

ip route 192.168.1.0 255.255.255.0 89.3.2.1

'didn't work'


ip route 192.168.1.0 255.255.255.0 50.3.3.1

'didn't work'


Please help!!!

Jon Marshall Thu, 01/31/2008 - 00:56

Hi


You don't need a route for this traffic. The crypto map access-list tells the router/firewall which traffic needs to be encrypted. If a packet matches the crypto access-list it is encrypted and automatically sent down the tunnel.


Jon

dcarlton Thu, 01/31/2008 - 05:45

Are you using crypto maps? What does your interesting-traffic access list look like?

Eliufoo.Mahinda Thu, 01/31/2008 - 06:07

I'm using crypto maps. My local access list is


access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255


If I run "show access-list 144" I can see interesting traffic. Also, if I run "show crypto engine connection active" I can see traffic being encrypted. But I don't have a 192.168.1.0/24 route in the routing table, and traffic is not going through the tunnel.

cisco24x7 Thu, 01/31/2008 - 10:55

Do this:

1- Under your crypto map, you need this: reverse-route

2- Do sh ip route; you will see a static route in the routing table.

3- Redistribute that static route into your routing protocol so that downstream router(s) can see it.

4- Test again.


CCIE Security
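As an added example (not configuration posted by anyone in this thread), this is what steps 1 to 3 above look like in IOS configuration, using the peer addresses and crypto ACL 144 that appear in the thread. The ISAKMP policy values, the pre-shared key placeholder, the transform-set and crypto map names, the OSPF process number and the interface name are all assumptions made for the example.

```ios
! ISAKMP policy and pre-shared key: values are assumptions, the key is a placeholder
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE_SHARED_KEY_PLACEHOLDER> address 89.3.2.1
!
! Crypto ACL 144 as posted in the thread: traffic between the two private LANs
! (wildcard masks, not subnet masks: 0.0.0.255 means "ignore the last octet")
access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Transform set name TS is an assumption
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto map name VPNMAP is an assumption; the peer is the remote public address from the thread
crypto map VPNMAP 10 ipsec-isakmp
 set peer 89.3.2.1
 set transform-set TS
 match address 144
 ! Step 1: reverse route injection installs a static route for the
 ! remote network in ACL 144 (192.168.1.0/24) pointing towards the peer
 reverse-route
!
! Outside interface: the address is from the thread, the interface name is assumed
interface FastEthernet0/0
 ip address 50.3.3.1 255.255.255.0
 crypto map VPNMAP
!
! Step 3: OSPF process 1 is an assumption; this advertises the injected
! static route to downstream routers so they forward 192.168.1.0/24 towards this box
router ospf 1
 redistribute static subnets
!
! Step 2: verify that the injected route is present
! show ip route static
```

Note that RRI only solves the routing half of the problem: it makes the remote network reachable from downstream routers. If the local device already shows encrypts and the remote side shows no decrypts (the check suggested later in this thread), the packets are being lost between the two peers, and no routing change on the local router will fix that.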

Eliufoo.Mahinda Fri, 02/01/2008 - 00:06

Now I've got the route in my routing table, and I still can't reach the remote end.


If I run a traceroute from the local host, it stops at my internal router interface. Where else should I check?

i. My VPN is up

ii. Route to remote host is available

dcarlton Fri, 02/01/2008 - 04:41

When you did the traceroute, what did you use for the source interface? This source interface has to have a match in the access list.

Eliufoo.Mahinda Sun, 02/03/2008 - 22:23

I'm running a traceroute from 10.2.5.2 (a local node).


If I run a ping test to 192.168.1.6 (an active remote node), the ACL sees the interesting traffic, brings up the VPN and encaps the destination traffic. But I still don't reach the remote node.

kaachary Mon, 02/04/2008 - 08:40

Your traffic has already left the device if you see encrypts. It seems either the replies are not coming back from the other end, or the packet is dropped after it leaves the local device.


Do you see encrypts/decrypts on the other end of the tunnel?


Source a ping from the LAN interface of the VPN device itself, and ping the remote end's LAN interface (provided it is part of the crypto ACL).


HTH,


-Kanishka

Eliufoo.Mahinda Sun, 02/10/2008 - 21:25

SOLVED!!! :-)


After writing some emails to my ISP, I managed to see remote encrypted traffic.


Thanks everyone.
